An Indirect Adaptive Control Scheme in the Presence of 
Actuator and Sensor Failures 


Joy Z. Sun* 

NCA&T State Univ./National Inst, of Aerospace, Hampton, VA, 23666, USA 

and 

Suresh M. Joshi 1 ^ 

NASA Langley Research Center, Hampton, VA, 23681, USA 


The problem of controlling a system in the presence of unknown actuator and sensor 
faults is addressed. The system is assumed to have groups of actuators, and groups of 
sensors, with each group consisting of multiple redundant similar actuators or sensors. The 
types of actuator faults considered consist of unknown actuators stuck in unknown positions, 
as well as reduced actuator effectiveness. The sensor faults considered include unknown 
biases and outages. The approach employed for fault detection and estimation consists of a 
bank of Kalman filters based on multiple models, and subsequent control reconfiguration to 
mitigate the effect of biases caused by failed components as well as to obtain stability and 
satisfactory performance using the remaining actuators and sensors. Conditions for fault 
identifiability are presented, and the adaptive scheme is applied to an aircraft flight control 
example in the presence of actuator failures. Simulation results demonstrate that the method 
can rapidly and accurately detect faults and estimate the fault values, thus enabling safe 
operation and acceptable performance in spite of failures. 


I. Introduction 

C OMPONENT failures in dynamic systems can cause loss of performance and even catastrophic instability. In 
particular, actuator and sensor failures in flight control systems can result in loss of control leading to serious 
incidents. Therefore, fault-tolerant control (FTC) has been an active area of research for the past several years. The 
research in this area has essentially progressed in two directions: an indirect adaptive control approach consisting of 
parameter estimation and fault detection, isolation/identification, and control reconfiguration (FDIR); and direct 
adaptive control [1-5], wherein the control law is directly updated using the difference between the actual and 
desired response, without explicit parameter estimation and FDIR. A considerable amount of research has focused 
on both approaches. Some of the literature on indirect adaptive (reconfigurable) control deals with faults, e.g., [6, 7]; 
however, adequate attention has not been paid to design of fault detection and isolation/identification (FDI) and FTC 
in an integrated manner for online and real-time applications using indirect adaptive methods. 

The growing demand for reliability and safety in dynamic systems has resulted in significant stimulation of 
research in fault-tolerant control. A recent survey paper [8] provides bibliographical review of FTC. In general, 
existing fault-tolerant control system design methods are based on the following major approaches: linear quadratic 
regulator (LQR)[9], eigenstructure assignment [10], multiple models [11], pseudoinverse [12], neural networks 
[13], and adaptive control[l-5]. Some FTC methods include a strategy involving a fast subsystem for FDI and a 
supervisory system that chooses the corresponding controller for a particular type of fault. The most researched and 
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mature area in FDI is the residual generation approach using observers [14 ]. Recently, several new FDI methods , 
such as Extended Kalman filter (EKF) and Variable Structure Filter, agent-based diagnosis, and unknown input 
observers based method, etc, have been developed for fault detection and identification [15-19]. 

In much of the literature, FDI and FTC are studied independently. More specifically, most of the FDI techniques 
are developed as a diagnostic or monitoring tool, rather than an integral part in FTC. One notable exception is 
multiple-model (MM) based methods that employ banks of Kalman filters. MM-based adaptive control has resulted 
in different approaches: the multiple model adaptive control (MMAC) [20], multiple model adaptive estimation 
(MMAE)-based control [21, 22], and multiple model switching and tuning (MMST) [23, 24]. These methods 
employ banks of observers or Kalman filters (KF) wherein each observer or KF is tuned to one of several models 
corresponding to a set of parameters or a failure scenario. The MMAC method and the MMAE method employ KFs 
and probability-based hypothesis testing to determine the correct model. The MMAC method was originally 
developed to accommodate varying flight conditions in aircraft control (with no failures), while the MMAE method 
was developed mainly to handle failures. The main difference between these two methods is the manner in which 
the controller is designed and implemented. In the MMAC method, a separate controller is associated with each KF, 
and the control input is the probability-weighted average of the individual control inputs, whereas in MMAE-based 
control, a single controller is used [21], which can be scheduled using probability- weighted parameter estimates. 
The MMST method involves switching to the model that is ‘closest’ to the failed plant and adapting from there. 

The MMAE-based adaptive control approach has been investigated extensively for aircraft control in the 
presence of failures and has shown considerable promise. In [25], the MMAE method for FDI was extended to 
include actuator failures with constant unknown biases. This method, called the Extended MMAE (EMMAE) 
method, was also applied to nonlinear systems by using banks of Extended Kalman Filters (EKF), resulting in a 
promising method for actuator FDI under varying flight conditions. 

The MMAE and EMMAE-based FDI methods are based on hypothesis testing using parallel banks of KFs or 
EKFs, which have a high complexity and require considerable real-time computation. It was reported in [22] that the 
MMAE method showed promise but indicated some difficulty in the case of multiple failures and simultaneous 
actuator and sensor failures. The results in [25], which considered only actuator faults, indicated a substantial time 
delay (several seconds) in identifying the faults, and proposed a supervisory module that generates an auxiliary 
excitation signal which can improve the speed of FDI. The resulting FDI scheme was able to detect and isolate 
actuator faults in 2-4 sec. 

In safety critical applications such as aerospace vehicles, it is often highly desirable- if not essential- to detect 
and identify faults very quickly (less than a second) in order to maintain stability, maneuverability, and safe 
operation. This may require a substantial reduction of complexity, which is also desirable from the point of view of 
implementation, validation, and verification that will be required for certification. Another issue in this regard is that 
analytical results (such as closed-loop stability using the MMAE state estimate for feedback) need to be addressed. 
Furthermore, the results of the MMAE-based methods (i.e., conditional probabilities used to identify faults) depend 
on the values of the process- and measurement- noise. While the sensor noise variance is provided by the vendor or 
can be obtained experimentally, the process noise covariance is not known and is usually chosen by the designer. 
This calls into question the accuracy of the computed conditional probabilities. In addition, it is highly desirable to 
analytically establish conditions under which single and multiple faults (in both actuators and sensors) are 
identifiable. This paper aims to address these issues and to simplify the MM-based approach to FDI and adaptive 
control. 

We propose an indirect adaptive control scheme for fault tolerance based on the EMMAE method wherein 
unknown actuator and sensor faults are rapidly detected and estimated using a bank of constant-gain Kalman filters 
(KFs). The system is assumed to have groups of actuators and groups of sensors, with each group having multiple 
similar actuators or sensors, some of which may fail in unknown positions. The proposed FDI approach aims to 
simplify the MM-based FDI methods by investigating the use of constant-gain KFs and simpler decision process 
based on residual covariances. After detection and estimation of the faults, control reconfiguration is performed to 
mitigate the effect of failed components and to obtain stability and satisfactory performance. The utility of the 
proposed approach lies in its ability to provide quick fault detection and identification as well as nearly 
instantaneous reconfiguration with low computational overhead, which makes feasible the use of a large number of 
failure models. Analytical conditions for identifiability of actuator and sensor faults are given, and simulation results 
are presented for an aircraft flight control problem. It is shown that actuator faults and sensor biases cannot be 
identified simultaneously using the current MM approach. To alleviate this problem, some alternative methods for 
sensor FDI using redundant sensors are suggested. The results demonstrate that the method can rapidly and 
accurately detect and estimate the faults and provide safe operation as well as satisfactory performance. The purpose 
of this paper is to focus on the FDIR problem; therefore the nominal system parameters are assumed to be known. 
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The paper is organized as follows. Section II addresses the actuator failure problem and proposes a simplified 
MM-based adaptive (FDIR) scheme. Section III presents simulation results for application to an aircraft flight 
control problem. Section IV considers sensor fault detection and identification, as well as the case with simultaneous 
actuator and sensor faults. Section V includes simulation results with sensor faults and simultaneous actuator and 
sensor faults. Section VI contains a discussion of the issues and Section VII presents some concluding remarks. 

II. Actuator Failures 

We consider systems having several (m) groups of actuators wherein each group has multiple similar actuators. 
The system is represented as: 


V 1 V 2 

x = Ax+b^Uu +& 2 £ m 2i + + KYj u ™ +v o (1) 

1=1 1=1 1=1 

y = Cx + w (2) 


where jcg R nx \ Uj.e R ,Ag R^^b.s R"* 1 ^ = l,2,...m),Ce R lxn respectively denote the state vector, ith input in 

the yth actuator group, the system matrix, the input matrix for the z'th actuator group, and the sensor output matrix; 
v 0 e R n , we R l are process noise and sensor noise (assumed to be white and Gaussian) having covariance intensities 

V 0 and W. 


A. Actuator Failure Model 

We consider the following type of actuator failures, wherein some of the actuators are stuck at some unknown 
constant values. Suppose ntj out of V j actuators in the yth actuator group fail. Let Q, denote the set of indices 

corresponding to the failed actuators in the yth group 
A failure is modeled as 


Ujt = Ujf , ie Q J, for t > t jt , j = 1 , 2 ,..., m 


( 3 ) 


That is, the z'th actuator in the yth group gets stuck at a constant value U y - at time t - The failures are assumed to 
occur at unknown instants of time t ~ . 

Assuming that at least one actuator within each group is working, Eq. (1) can then be written as 


x = Ax + b l ^u u +.... + b m ^ u mi + BU = Ax + B 










y 


+ BU + 


( 4 ) 


where 


U = [U, U 2 ...UJ; Uj = ^ u jt 


( 5 ) 

( 6 ) 


Remark- In (4), we had assumed that at least one actuator within each group is working. However, if some of the 
groups experience failures of all actuators within the group, (4) is modified as 




x = Ax + BF“ 


+ BU + Vq 


j 
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where F denotes an mxm diagonal matrix with unit entries corresponding to groups that have at least one 
functioning actuator, and zero entries corresponding to groups in which all actuators have failed. (If at least one 
actuator in each group is working, F =/). 

In this approach, we do not try to determine which actuator within a group has failed, but rather how many 


actuators have failed in each group, as well as the failure value \J ■ The number of failure states is 


«/ = f[( v ; +1 ) 


7=1 

(including the “no failure” case), which can be a large number, especially if multiple failures are possible. For 
example, an aircraft having doubly redundant elevator, ailerons, and rudder will have 27 actuator failure states. 


B. The Adaptive Control Scheme 

The objectives of the adaptive control scheme are to 

i) Detect the actuator failure 

ii) Identify the failure: determine 

a. Which actuator groups have failed actuators 

b. How many actuators within each group have failed, and 

c. Failure value estimates 

iii) Reconfigure the controller using the non-failed actuators to 

a. Mitigate/cancel out the effect of the fault ( BU ) to the maximum extent possible 

b. Redesign controller gains for satisfactory performance 

The first task is to determine the conditions under which the actuator failures will be identifiable from the sensor 
measurements. 


C. Tdentifiability of actuator failures 

The approach to FDI considered in this paper is based on the MM approach which uses use a bank of Kalman- 
Bucy filters (KBF), each of which is tuned to a different failure-state model. The model that is the most likely 
representation of the actual situation (indicated by hypothesis testing based on criteria such as covariance of the 
residuals) identifies the failure state. An advantage of this approach is that each failure state model is still linear; 
therefore KBF (rather than EKF) can be used for fault detection and estimation. Following the approach of [25], 
since the actuator faults are assumed to be constant, they can be estimated by augmenting the unknown U to the 
system dynamics and designing a KBF. The augmented system is: 




P \ 


A 

0 


B 1 

o[] 




*1 

0] 




feO i 


L <Ci '] 


+ v 


(7) 


y=[c o lxm tf+w (8) 

where v = [v^,v^] r , v v being a fictitious noise added for estimating U . The following theorem gives a 

necessary and sufficient condition for fault identifiability. It is assumed that B and C have a full column- and row- 
ranks. 

Theorem L For the system described in (4), the actuator faults (U ) in (6) are identifiable if and only if (C, A) is 
observable, / > m , and the system ( C ' A, B) has no transmission zeros at the origin. 


Proof- Denote 



*1 

0j 


C £ =[C 0.1 


(9) 
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The fault is identifiable if and only if [C^ , A, ] is observable. Applying the PBH rank test, this pair is 
observable if and only if 


'si -A -B] 

0 sl m 

C 0 J 


= n + m for 5 = A(A), and s = 0 


( 10 ) 


where p[.] denotes the matrix rank. Since (C, A) is observable, the first n columns of the test matrix in (10) are 
linearly independent for all s. For s 0, the last m columns form an independent set and are also independent of the 
first n columns, i.e., p = n+m.. At 5 = 0 , p=min(«+w, «+/) if and only if the system (C,A,B) has no transmission zeros 
at the origin. Thus the condition (10) can hold if and only if l >m and ( C,A,B ) has no transmission zeros at the origin. 


Remark 1- If t>m , ( C ' A, B) is non-square system and almost always has no transmission zeros; thus the faults are 
identifiable. Also, if /=« and C is nonsingular, it can be readily shown that the condition (10) holds and the faults are 
identifiable. 

Remark 2- The condition in Theorem 1 corresponds to the models for which at least one actuator in each group has 
failed. For cases where some actuator groups have no failures, the “5” matrix in (9) would consist of only columns 
corresponding to actuator groups having at least one failure. Thus there are 2 m - 1 values of the “5” matrix in (with 
varying column dimension) corresponding to all the models when there is at least one failure. 


D. Failure Detection/Estimation Filters 

A constant-gain KBF is designed for each of the /^failure models: 




51 

0] 


Z M J 




Z 

L <U, 1 


+ L(y - Cx ) 


(10) 


where L is the Kalman gain, which is time-varying in general. Because the system is linear and time-invariant 
(between failures), L can quickly converge to a steady-state value; therefore we shall investigate the use of constant- 
gain KBFs as FDI filters. This permits the use of pre-designed KBFs, resulting in significant reduction in real-time 
computation, which in turn would make it possible to handle a large number of models (failure states). Note that a 
separate KBF is designed for each actuator state described by the set (fl?, CI 2 , . . . O m ). 


E. Discrete-Time Implementation 

From the implementation point of view, the discrete-time formulation is more suitable than continuous time since 
the Kalman filters* (KFs) can be easily implemented in discrete-time. Thus (7), ( 8 ) are replaced by 


£(*+ 1) 


x(k + 1 ) 1 

e7(*+i)[] 


A B] 

L° *!] 


m+ 


Bl 

L°j 


Z«w(*),l 




Z "««■(*) 




+ v(k) 


0 mxl ] 


( 11 ) 


y(k) = [C o u jm + Mk) (12) 

where, without changing the notation, A , B denote the discretized system- and input-matrices. The statement of 
Theorem 1 changes to the following: 


t 


Kalman filter refers to the original discrete-time filter; the Kalman-Bucy filter refers to the continuous-time version 
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Theorem la. For the system described in (11), (12), the actuator faults are identifiable if and only if ( C ' A) is 
observable, l >m , and the system (C, A, E) has no transmission zeros at z= 1 . ■ 

The Kalman filter (one for each actuator failure state) is given by 

i(k) = i(k Ik- 1) + L(k)[y(k) - Cx(k Ik- 1)] (13) 


where 


g(k/k-l) = Aj(k-l) + 






luJk-V) 


0 


mx 1 




(14) 


The Kalman gain update equations may be found in standard texts. (In this paper, the use of constant-gain KFs is 
investigated in order to reduce the complexity and real-time computational requirements). 


F. Failure Identification Criteria 

In the standard multiple model hypothesis testing approach [20, 21], to detect and identify the failure, a KF is 
designed for each of the n f actuator state models. To determine which model correctly represents the actual actuator 
failure state, the conditional probability for the ith model is computed as 

p (7 .) = P(P, j Y k) = P(y k )/?,(*-!) (15a) 

£ piy k / ^ > Y k-\ )Pj(k- 1 ) 

7=1 


where 


P(y k le n Y k- i) = 


r Y \k)R \ k)r (k ) 

2 i i i 

a 


(2n) | Rf(k) | 


1/2 


/ = 1, 


(15b) 


9t represents the rth model, Y k ={y(0), y(l), . . . y(k) }, ^(A:) is the state estimate based on the zth model and 
r i (k) = y(k)-Cx i (k! k-\)i$ the residual corresponding the zth model. The model having the largest p t (k) is 

declared to be the correct model, and the state estimate is given by a weighted sum of the individual KF state 
estimates weighted by the corresponding conditional probabilities: 

*(*)=Z*(*)M*) ( 16 ) 


An alternate method would be to just use the state estimate jf. (k) corresponding to the model with the 
highest Pi (k). 

This approach has a high requirement for real time computation. In addition, since the process noise covariance 
not known but is assumed in the KF design, the calculated probabilities used in decision-making do not necessarily 
represent the true probabilities. Therefore we propose a simpler heuristic method, i.e., to compute and compare the 
residual norm squared, 7>[i?.(A;)] = E[r[ (k)r(k )] , which can be also be weighted by R7 l (k) or W~ l (k ) , and choose 
the model (and the state estimate) that corresponds to the smallest value. 


G. Reduced Actuator Effectiveness 

Another type of actuator anomaly is reduction of actuator effectiveness {actuator “fading”) by an unknown 
factor y £ [0,1] . That is, 


^ actual ~ Y U desired 
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It is possible to address such an anomaly in the multiple model, multiple actuator framework by using quantized 
levels of y , the actuator “fading factor”. For example, with 1 1 levels of actuator effectiveness, y={ 0,0.1, 0.2,., 1 } , 
this would be similar to having 10 identical actuators in the group, some of which may fail and produce zero 
actuation. Because there is no bias to be estimated, state equation augmentation as in (7) is not needed. 

H. Controller Reconfiguration 

After the failure state (model) is determined, it will be necessary to reconfigure the controller. Controllers tuned 
for each models can be pre-designed using a chosen method, such as LQG, H 2 , or R * - based controller, provided 
that ( A,BF a ) is controllable. In addition, the control input must also cancel the effect of the fault, represented by the 
term B U . If there are one or more non-failed actuators within each group, the corresponding component 

bUj » bjUj can be cancelled (provided that sufficient actuation authority is available), since the failure state (and 

therefore the number of failed actuators within each group) has been determined. If all actuators within a group have 
failed, complete cancellation would be possible only if the columns of B corresponding to non-failed actuators span 
the space of columns corresponding to the failed ones. If cancellation of the bias term is not possible, its effect can 
be minimized using a least-squares approach. 

The FDIR scheme considering two elevators is illustrated in the Figure 1 . 



Figure 1. Indirect Adaptive Control Scheme with FDIR 

This procedure is demonstrated by an example application to aircraft flight control. 

III. Example Application- Aircraft Flight Control with Actuator Failures 

In this section, we present simulation results to demonstrate the performance of the proposed indirect adaptive 
control scheme in the presence of actuator failures, which include stuck actuators as well as reduced throttle 
effectiveness. 

A. Problem description 

For the purpose of testing the method and the decision criteria described in Section II, we consider a fourth-order 
longitudinal dynamics model of a large transport aircraft in a cruise condition. The state variables are: pitch rate q 

(deg/sec), true airspeed v (m/sec), angle of attack a (deg), and pitch angle 9 (deg). The main actuator consists of 
two elevators (each elevator consists of a pair of control surfaces, one on each side, that operate symmetrically). The 
two elevator inputs are u n and u l2 . The total engine thrust (equal in all engines) is used as a secondary actuator. 
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The individual engine thrusts have been aggregated to produce a single control input U 2 . 
(ignoring noise) is 

x = Ax + b x (u n 4 - u l2 ) + b 2 u 2 
y = Cx 


The nominal model 


(17) 


where x = [q v a 6 ] T ; 

The system matrices (continuous-time) are 


-0.6803 0.0115 -1.0490 
-0.0026 -0.0062 -0.0815 
1.0050 -0.0344 -0.5717 

0 

-0.1 70S 
0 

1 

\ b x = 

'-44.5192 

0 

-11.402' 

1 

, f b 2 = 

' 0.8824" 
1.3287 
-0.040 

1.0000 0 0 

0 

J 

0 

J 

. o J 


(18) 


We assume that fault-free (although noisy) measurements of the states are available, i.e., there are no sensor 
faults and only actuator faults are considered. The two groups of independent actuators are elevator and throttle. We 
define a failure of each elevator as in Eq. (3), i.e., stuck in an unknown position. For the purpose of this example, the 
throttle is treated as a single input that is subject to a fading factor (i.e., reduced effectiveness factor) y T of: 1 (full 
effectiveness), 0.75, 0.50, or 0.25. (This would be equivalent to having four equal thrust actuators, of which up to 3 
actuators may fail and produce zero thrust ( U 2i = 0 )). The corresponding failure states are shown in Table I. 


Table 1 : Actuator failure models 


^Elev Xljrust^^ 

© 

M 

1: ft. = 0.75 

2:/ t = 0.50 

3:/ t = 0.25 

0: No failure 

Model 00 

Model {)] 

Model 01 

Models 

1 : One failure 

Models 0 

Models j 

Model u 

Mode^ 

2:Two failures 

Model 20 


Models 

Model 23 


The system is discretized at a sampling rate of 100Hz. A bank of 12 KFs will be needed for performing FDI. 

We shall first consider the case when there is no engine failure, i.e., there are three failure states corresponding to 
the first column of Table I. We will need to construct 3 KFs corresponding to models (0,0), (1,0) and (2,0) as 
described in Section II. In designing the KFs, we choose process noise covariance intensity V that provides a KF 
design with good dynamic characteristics (e.g., sufficiently rapid error decay), while the sensor noise covariance 
intensity W is determined by the instrumentation. The noise covariance intensities (continuous-time) used in this 
example are 

V 0 = diag(0.1 160,2.3094, 0.9238,0.7167); W = diag( 0.04565,0.048129,0.0567,0.019440) (19) 

The equivalent discrete-time covariance intensities are approximated by dividing the continuous-time intensities by 
T, the sampling period. 

When the state vector is augmented with U , the process noise covariance intensity is appropriately augmented 
with additional diagonal terms corresponding to variance intensities of the fictitious noise V u . The three KFs are 
based on discrete-time versions of the following models: 

1) Models : no failures 


x = Ax + b x (u n + u l2 ) + b 2 u 2 
y = Cx 


( 20 ) 


2) Mode^ : one elevator is stuck 
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In this case, one elevator (e.g., u n ) is stuck at a position u n . The state vector is augmented with U u : 


i jl_ 

'A bj 

r* i 

+ 

w J 

u n + 

An _l 

0 0] 

_«n j 

0 J 12 


3) Models : both the elevators are stuck. 


Where: 


"*jl_ 

'A b t 1 

r*i r 
+ 

_«lj 

0 0] 



\ l 

u 

o] 


U l =u [ 1 +u n 


( 21 ) 


( 22 ) 

(23) 


B. Elevator Failure Detection and Identification Results 

It is assumed that the aircraft is in a cruise condition, with a nominal LQ state feedback control law. Suppose one 
elevator fails at 1= 5 sec and gets stuck at 4 deg. (the angle is relative to the trim value). Then at t= 15s, the second 
elevator also fails and is stuck at -1 deg. (Since the objective is to detect and identify faults, the control law is not 
reconfigured in these initial simulations). We first present the fault detection results based on the EMMAE method 
[25]. Figure 2 shows the probability indices (i.e., the conditional probabilities defined in Eq 15) for the three models. 
In the simulations performed, the MMAE method was not able to accurately detect the first elevator fault at t= 5s, as 
indicated by the probability index of Model m (no faults) which remains at around 1.0 and both of the indices of 

Model^Q (one faulty elevator) and Model 20 (two faulty elevators) stay close to 0 for 0 < t < 15.5^ . Also, it can be 
seen from Figure 2 that the probability index of Model 10 increases to 1.0 at t= 15.5 s and then slowly decreases to 0.2 
(the threshold) at t= 37s, while, the probability index of Model 10 increases to 0.8 (threshold). This suggests that 
although an elevator fault is detected, it is inaccurately identified as single elevator fault during 15.5^ < t < 31s 
while the actual fault in both elevators occurred at 15 sec. 



Figure 2. Detection results for the MMAE method. 

We shall next present simulation results for fault detection using constant-gain KFs and unweighted and 
weighted residual variances of the three KFs. The inverse of the residual covariance matrix was used as the weight 
in the weighted residual variance method. The decision criterion is to choose the model with the smallest residual 
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variance. The results for the unweighted and weighted residual variances are shown in Figures 3 and 4. The top two 
plots in Figure 3 A, 3B show the time-histories of the two elevators. As stated previously, the nominal state feedback 
control law is assumed to be on (with no reconfiguration) throughout the simulation. It can be seen that, even 
without reconfiguration, Elevator 2 tries to compensate for the failure of Elevator 1 at t= 5s. The three lower plots in 
Figure 3A shows the unweighted residual variances for the three models, while the weighted residuals are shown in 
Figure 3B. The actual and estimated elevator failure values are shown in Figure 5. It can be seen that both the failure 
state and the failure value are correctly identified within about 0.5s. However, after the occurrence of the first fault 
at *=5s, the difference between the residual variances of Mode /, 0 and Model 20 , although visible, is not significant, 
(Figures 4A and 4B), which implies that the residual-based FDI method may not always be able to clearly 
distinguish between the one-elevator fault and the two-elevator fault. However, the two-elevator fault, which occurs 
at 2= 15s, is clearly distinguished from the one-elevator fault. The un-weighted and weighted residual variance 
methods gave a similar performance. Several failure cases and scenarios were simulated similar to this one, and gave 
similar results. In all cases, the failure value was identified rapidly and accurately. 


!l 
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Figure 3A: Unweighted residual signals of three models for elevator fault detection 


Elevator Status 


20 



*0 5 10 15 20 25 30 35 40 45 50 




0 5 10 15 20 25 30 35 40 45 50 


Weighted Residual Variance 



0 5 10 15 20 25 30 35 40 45 50 



Time (sec) 


Figure 3B: Weighted residual signals of three models for elevator fault detection 
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Figure 4A. Comparison of unweighted residual Figure 4B. Comparison of weighted residual signals: 

signals: Model 1 VS Model 2 Model 1 VS Model 2 
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Figure 5. Estimation of the elevator status. 

C. Throttle Fading Failure Identification Results 

The case with no control surface failures but with throttle fading is considered next using four models: Model 00 
(y T =1, no fading), Models (y T =0.75, 25% fading), Models (y T =0.5, 50% fading), and Models (y T = 0.25, 
75% fading). Suppose throttle fading occurs as shown in Figure 6, that is, during 0 < t < 0.5s , 0% fading (y actual = 1 ); 
during 0.5s < t < 5s , 80% fading ( y actual = 0.2 ); during 5s < t < 1 0s , 5% fading ( y^^ = 0.95 ); during 1 0s < t < 1 5s , 
30% fading (y actual = 0.7); for t > 15s , 45% fading = 0.55). The actual fading factors are deliberately chosen 
to be slightly different from those in the models. As in the previous simulations, the nominal state feedback control 
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law was on throughout the simulation. Figure 7 shows the ideal (no fading) and actual thrust. Using the MMAE 
method, as shown in Figure 8A, only the fading at 0.5s could be identified. With the residual variance method, as 
shown in Figure 8B, the model with the smallest residual variance accurately suggests that relative throttle fading 
occurred at 0.5s, 5s, 10s and 15s, respectively. Figure 9, 10, 11, 12 show the comparisons of the residual signals of 
the four models around 5s, 10s and 15s, where the differences in the residual variances are magnified for clarity. 
Although the fault identification is technically correct, the differences are rather small. Therefore it was concluded 
that the throttle fading fault detection and estimation is not satisfactory and needs further investigation. In [25], an 
auxiliary sinusoidal persistent excitation input was proposed with the EMMAE method for improving the speed of 
fault detection and identification. We are investigating similar methods for use with the residual variance method. 
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Figure 6. Throttle Health Index 


Figure 7. Ideal and actual thrust 
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Figure 8A. Probability indices of four models for throttle fault detection (MMAE method ) 
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Figure 8B. Unweighted residual signals of four models for throttle fault detection 



Figure 9. Comparison of residual values 
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Figure 10. Comparison of residual values 
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Figure 11. Comparison of residual values 

Tactual = °- 7 for 10s<*<15s 



Figure 12. Comparison of residual values 

Tactual 0 - 55 f0r *> 155 


D. Controller Reconfiguration 

The FDI results shown above used the nominal state feedback control law in all the simulations, since the 
purpose was to investigate the efficacy of the FDI approaches. To obtain better performance, the controller should 
be reconfigured after each fault is identified. 

First considering the elevator faults, when one elevator failure is identified and its failure value is estimated, the 
command to both elevators should be: 

u c 2 = ~ u n ~ 2KX\ 

where x x is the state estimate from Model 1 . (In general, if there are y. actuators in Group j, the actuator command, 

consisting of the sum of the negative of the estimated bias and the feedback input, would be distributed over the 
estimated number of non-failed actuators). When both elevators fail at t= 15s, the throttle is the only available 
control input. Although the system is still controllable, it is no longer possible to eliminate the bias since b 2 is not 
parallel to bj; therefore, the bias is minimized in the least-squares sense and the controller (LQ state feedback) is 
redesigned using the throttle as the only input. Figure 13 A shows the response plots with elevator failures, where the 
throttle was reconfigured 0.5s after the elevator faults were identified, i.e. at approximately t= 5.5s and 15.5s, 
respectively. Figure 13B shows the throttle without reconfiguration for comparison. Also, the corresponding state 
variables are shown in Figure 14. It is noted that the reconfiguration successfully stabilizes the system with elevator 
failures. However, because the bias due to faulty elevators cannot be cancelled, some of the states of the closed-loop 
system are not bounded. (The magnitudes of the variables in Figure 14 are based on the linear model and are not 
realistic; they are shown only to demonstrate the effect of non-cancellable bias). 



Figure 13 A. Control signal with reconfiguration 



Figure 13B. Control signal without reconfiguration 
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Time (sec) 

Units: Angle of attack (deg), pitch angle (deg); pitch rate (deg/s); velocity (m/s) 

Figure 14A. State variables without reconfiguration Figure 14B. State variables with reconfiguration 

Although this example used LQG-based reconfigurable controller designs, methods such as H 2 and control 
can be used. 


IV. Sensor Fault Detection and Identification 

This section addresses the sensor failure detection and estimation problem, which is the dual of the actuator 
failure problem addressed in Section II. 

We shall first consider the case where unknown constant bias terms exist in the sensors. 

A. Sensor Bias 

Consider the system 

x= Ax+ Bu + v 0 

y = Cx+y + w (24) 

where C has a full rank (i.e., no redundant sensors), ye R l denotes an unknown bias. As in the case of stuck- 
actuator failures the sensor bias can be estimated by augmenting the unknown bias term y to the system dynamics 
and designing a KBF. The augmented system is: 


77 = 


■*] 

f . j 


A 

0 



W 

w + v 

[o'] 


y = [C I,]tj + w 


(25) 

(26) 


The following theorem gives a necessary and sufficient condition for identifiability of the sensor bias. 

Theorem 2. For the system in (24), the sensor bias y is identifiable if and only if (C, A) is observable and A has no 
eigenvalue at the origin. 

Proof- The above system is observable if and only if 


si- A 


P 


0 

C 


0 1 


si, 


= n + l for s = A(A), and s = 0 




(27) 


Since (C, A) is observable, the first n columns of the test matrix in (27) are linearly independent for all s. For s ± 
0, the last m columns are independent of each other and of the first n columns, i.e., p= n+l. At ,s=0, 
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(28) 


Discrete-time implementation- As in the case of actuator failures, discrete-time formulation is used in 
implementation. In this case the condition in Theorem 2 simply requires that the discretized “A” matrix has no 
eigenvalues at z= 1. 

An alternate method for sensor bias removal that is used in practice is to implement washout filters. For 
example, with a first-order washout filter, the filtered sensor output is given by 

Y f (s) = G wo (s)Y(s) = Y(s) (29) 

where r is the time constant. The drawbacks of a washout filter, however, are: i) along with the bias, it also removes 
the zero-frequency (DC) component of the signal, ii) it introduces a phase lag, and iii) it introduces a non-minimum- 
phase zero. To maintain the minimality of the system and to avoid unstable pole-zero cancellation, the plant should 
not have poles at the origin. 

B. Sensor Outage and Bias- Multiple Redundant Sensors 

We consider the case wherein multiple redundant sensors are available for each measurement. Suppose there are 
l groups of sensors, wherein each (zth) group consists of TV/ identical sensors, i.e., the sensor output of the yth sensor 
within the zth group is 


y 9 =c f x+y v + w v i = !,•••/; y = l. 


N t 


(30) 


where the overhead bar denotes the unknown bias term. Suppose the outputs of all sensors within each (zth) group 
are averaged to get the measurement Y t : 



(31) 


Suppose some of the sensors within each group experience an outage, e.g., if the Ml sensor in the zth group fails, 
its output is 


y ik =[Q\x+y ik + w ik (32) 

In the bias estimation approach, the problem is to i) determine how many sensors within each group have failed, 
and ii) estimate the total bias in Y t . Similar to the actuator failure case, this can be done by designing multiple KFs, 
each tuned to a different sensor failure model. For simplicity, consider the case with two groups of sensors wherein 
the first group has 2 identical sensors and the second group has 3 identical sensors. The three possible sensor failure 
states for Group 1 are: no outages, one outage, and two outages. Similarly there are 4 sensor failure states for Group 
2. Thus the outputs of the two groups are given by 

~Y 1 _ 

‘| =F s Cx + Y + w (33) 

m 

where Y is the effective bias vector and F is the sensor failure matrix which can take on 3x4= 12 values: 


F‘ = 


* \ 

0 


Ol 

I , ($1=1, 0.5,0; S 2 = 1, 0.667,0.333, 0 

S 2 \ 


(34) 


For the multiple model FDI method, the procedure is to augment the system dynamics as in (25), and to design 

i 

12 KBFs, each tuned to one of the 12 sensor models. In general, there would be Y\ (TV. + 1) sensor failure states 

/=i 

including the no-failures and all-failures cases. As long as (FC, A) is observable (i.e., (Q A) is observable and at 
least one sensor within each group is working) and A has no eigenvalues at the origin, it is possible to estimate the 
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bias and the state. As in the case of actuator failures, the model with the highest conditional probability or the 
smallest residual norm determines the correct failure state. However, based on the experience with actuator failures, 
it may not be possible to make a clear distinction between similar sensor failure states. 

We shall next consider the case of simultaneous actuator and sensor failures. 


C. Simultaneous sensor and actuator failures 

If some of the actuators fail and if unknown sensor bias is simultaneously present, it would be necessary to 
identify the extent of the failures (i.e., how many actuators and sensors have failed), estimate the actuator biases and 
estimate and remove the sensor biases. In the multiple model approach, the number of actuator and sensor failure 

m l 

states (and therefore the number of models) would be Y\( v + 1 )]^[ (N. + 1) which can be very large. More 

>1 i=i 

importantly, it is necessary to first check the observability of the complete augmented system: 
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(35) 


y = [C 0 I]z + w 


(36) 


From Theorem 2, this system is not observable because the matrix 


has eigenvalues at the origin. Thus, this 


’A B] 

0 o[| 

multiple model method, in its current form, cannot be applied to the simultaneous actuator/sensor failure case. It can 
be shown that using feedback of sensed output or state, or of the state estimate (to get non-zero closed-loop 
eigenvalues), does not change observability. Therefore other alternate methods must be used for sensor fault 
detection and identification, as discussed in the next subsection. 


D. Alternate Methods for Sensor Failure Detection 

When multiple redundant sensors are available, it is possible to determine which sensors are faulty. If sensor 
bias is not present in non-failed sensors, simple voting can be used to detect and isolate a faulty sensor. For example, 
in the case of triple redundancy, suppose y l9 y 2 y 3 denote the measurements from three sensors. The distances 

between the sensor measurements are: 


d 9 =\y,-yj\\ Uj = 1,2,3 

With n s sensors, there will be n (n -1) / 2 differences. For sensor if, if (j= 1, 2, 3) exceeds a threshold for two or 

more values of y, then sensor K is declared to be faulty and the measurements from the remaining sensors are 
averaged and used as the correct measurement. If there is quadruple redundancy, there would be 6 differences (dg). 
If dig (/=1, 4) exceeds a threshold for 3 values of j, then sensor K is declared to be faulty. In the case of quad 

redundancy, two faulty sensors can be detected in this manner if their failure values (i.e., erroneous measurements) 
are mutually separated by a distance greater than the threshold. 

Since additive white noise is assumed to be present in all the measurements, it is desirable to determine the 
distance as a running average of the difference between sensor measurements at N previous time steps, rather than 
using the instantaneous measurement value, i.e., 

/V l=k-N 

This effectively reduces the measurement noise variance by a factor of N. The distance threshold for fault 
declaration can then be set at, for example, 3 yfw / N where W is the sensor noise variance intensity. The choice of 
N should be such that an 7V-step delay in fault identification is acceptable. 

Other approaches for sensor FDI, (e.g., [26] which uses products of distances) should also be investigated. 
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V. Concluding Remarks 

An indirect adaptive control scheme based on multiple model methods was proposed. Actuator failure detection 
and identification (FDI) for systems having groups of similar actuators was first addressed. The actuator failure 
types consisted of unknown actuators stuck in unknown positions, and reduced effectiveness (actuator fading). The 
approach uses a bank of Kalman filters based on multiple models, and subsequent control reconfiguration to mitigate 
the effect of biases caused by failed actuators, as well as to obtain stability and satisfactory performance using the 
remaining actuators. Conditions for actuator fault identifiability were presented, and methods for control 
reconfiguration were discussed. The scheme utilizes constant-gain Kalman filters and a residual-based decision 
criterion, which substantially reduces complexity and real-time computation needs. Results of application of the 
scheme to an aircraft flight control example indicate that actuator faults can be detected and estimated rapidly and 
accurately, although some difficulty was observed in distinguishing between similar faults and in estimating the 
actuator fading factor. Use of persistent excitation to increase the information content offers promise in this regard 
and will be addressed in future work. The dual problem of sensor FDI for a class of sensor failures (sensor biases 
and outages) was also addressed, and conditions for sensor fault identifiability were presented. It was shown that it 
is not possible to estimate simultaneous actuator and sensor bias faults, and therefore alternate methods for sensor 
FDI need to be investigated. A brief discussion of sensor FDI using multiple redundant sensors was presented. The 
focus of this paper was on FDI; therefore the system parameters were assumed to be known. Future research is 
planned for incorporating real-time system identification in conjunction with fault detection and estimation. 
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